Add microseconds to filename format to make it harder to predict

francoisjacquet · Apr 11, 2023 · 09d5afa · 09d5afa
1 parent aa40df6
commit 09d5afa
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 4 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -10,6 +10,7 @@ Changes in 11.0
 - Translate "Zip" & "Zipcode" to "Zip Code" in GetStuList.fnc.php, MyReport.php, Registration.fnc.php, Schools.php & Address.inc.php
 - HTML Text input min size is 2 in Inputs.php
 - Skip School Period column if has no students scheduled for selected date in Administration.php
+- Add microseconds to filename format to make it harder to predict in FileUpload.fnc.php, Accounting/functions.php, PortalNotes.php & Student_Billing/functions.php
 
 Changes in 10.9.3
 -----------------

diff --git a/ProgramFunctions/FileUpload.fnc.php b/ProgramFunctions/FileUpload.fnc.php
@@ -408,7 +408,8 @@ function FilesUploadUpdate( $table, $request, $path, $id = 0 )
 			mb_strrpos( $_FILES[ $input ]['name'], '.' )
 		) );
 
-		$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+		// @since 11.0 Add microseconds to filename format to make it harder to predict.
+		$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 
 		$new_file = FileUpload(
 			$input,

diff --git a/modules/Accounting/functions.inc.php b/modules/Accounting/functions.inc.php
@@ -351,7 +351,8 @@ function _saveSalariesFile( $id )
 		mb_strrpos( $_FILES[ $input ]['name'], '.' )
 	) );
 
-	$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+	// @since 11.0 Add microseconds to filename format to make it harder to predict.
+	$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 
 	$file_attached = FileUpload(
 		$input,

diff --git a/modules/School_Setup/PortalNotes.php b/modules/School_Setup/PortalNotes.php
@@ -127,12 +127,24 @@
 
 				if ( isset( $_FILES['FILE_ATTACHED_FILE'] ) )
 				{
+					$file_name_no_ext = no_accents( mb_substr(
+						$_FILES['FILE_ATTACHED_FILE']['name'],
+						0,
+						mb_strrpos( $_FILES['FILE_ATTACHED_FILE']['name'], '.' )
+					) );
+
+					// @since 11.0 Add microseconds to filename format to make it harder to predict.
+					$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
+
+					// File attached to portal notes
 					$columns['FILE_ATTACHED'] = FileUpload(
 						'FILE_ATTACHED_FILE',
 						$PortalNotesFilesPath,
 						FileExtensionWhiteList(),
 						0,
-						$error
+						$error,
+						'',
+						$file_name_no_ext
 					);
 
 					// @since 6.8 Fix SQL error when quote in uploaded file name.

diff --git a/modules/Student_Billing/functions.inc.php b/modules/Student_Billing/functions.inc.php
@@ -429,7 +429,8 @@ function _saveFeesFile( $id )
 		mb_strrpos( $_FILES[ $input ]['name'], '.' )
 	) );
 
-	$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
+	// @since 11.0 Add microseconds to filename format to make it harder to predict.
+	$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
 
 	$file_attached = FileUpload(
 		$input,